Overview

Enhance ArcSight 6.0 ESM Security with Fusion

The HP ArcSight Security Intelligence platform is the industry’s leading security information and event management (SIEM) solution for collecting, analyzing and assessing security events. ArcSight ESM sifts through millions of log records, and correlates them to find the critical events that matter, in real time.

Introduction

The HP ArcSight Security Intelligence platform is the industry’s leading security information and event management (SIEM) solution for collecting, analyzing and assessing security events. ArcSight ESM sifts through millions of log records and correlates them, in real time, to find the critical events that matter. It transforms this data into actionable information, presenting it in dashboards, notifications, and reports so users can accurately prioritize security risks and compliance violations. In previous versions of the ArcSight software, as event-ingest volumes increased, write-heavy workloads slowed event correlation. Many organizations, including the US Internal Revenue Service (IRS), deploy a Fusion ioMemory™ system architecture to eliminate the underlying I/O bottlenecks that can adversely impact ArcSight event correlation database processing and to dramatically improve performance.

Acting as a persistent memory tier operating at near-DRAM speeds in the server, Fusion ioMemory products are available in capacities from 365GB to 10TB and have been architected to ensure high reliability and endurance with linear performance scalability.

HP’s highly anticipated ArcSight ESM 6.0 release includes enhancements that make a joint ArcSight and Fusion ioMemory solution even more powerful. ESM 6.0 replaces the Oracle database that powered earlier ArcSight ESM versions with HP’s own CORR-Engine. Joint ArcSight ESM 6.0 and Fusion ioMemory solutions can analyze much more data, much faster, on much less infrastructure than hard disk-based solutions, while also reducing capital and operating costs. Systems that implement this solution can achieve the following benefits:

Up to 5X faster event correlation operations using the same hardware

Up to 10X more capacity for event analysis resulting from a new database compression feature

This gives ArcSight customers more security capabilities and the ability to detect more incidents and analyze more data in the same footprint and in much less time.

Optimal ArcSight Performance

Organizations can achieve maximum throughput on the smallest server footprint by moving the entire database onto Fusion ioMemory products deployed in the host server. Because all data is read from Fusion ioMemory devices rather than from slower rotating media such as disk drives, this configuration offers the highest possible events per second. Multiple Fusion ioMemory™ ioDrive2® products can be aggregated into a single volume of up to 40TB of Fusion ioMemory storage per server.

Maximizing Performance for Very Large Data Sets

If your dataset is too large to fit within a single server, you can achieve similar performance improvements by deploying a shared storage node built with SanDisk ION Accelerator™ Software and Fusion ioMemory products configured in a single industry-standard server. Any number of these shared storage data accelerators can be connected to a single ArcSight database server. The database can then be partitioned to take advantage of this additional high-performance flash capacity.

U.S. IRS Case Study

With the previous version of ArcSight, customers typically achieved approximately 35,000 events per second. With ArcSight 6.0, customers are able to double the performance of Fusion ioMemory-based systems and achieve an order of magnitude (10X) improvement over the performance of hard disk-based systems.

The U.S. Internal Revenue Service (IRS) recently tested ArcSight 6.0 on an HP DL580 G7 server configured with four Fusion ioMemory™ 2.4TB ioDrive2® Duo devices. Using Bleep, ArcSight’s built-in performance tool, the IRS achieved up to 70,000 events per second with a base install. After disabling default content, they averaged 109,000 events per second, with peak performance at 135,000 events per second. When asked about the impact on user experience, the IRS engineer said, “Running Fusion-io and the ArcSight CORR database, our query times have gone from over 30 minutes to under 30 seconds.”

Best Practices

For maximum performance, place the entire database, including logs, on Fusion ioMemory products, either within the server or using the SanDisk ION Accelerator Software shared-storage node option.

When working with large datasets that cannot fit within a single server, use one or more SanDisk ION Accelerator Software shared-storage nodes.

The performance results discussed herein are based on testing and use of the referenced products. Results and performance may vary according to configurations and systems, including drive capacity, system architecture and applications.